; Label inodes by using xattrs for supported filesystems.
; The listed context (here `local`) labels the filesystem itself; each
; inode's own label is read from its security xattr.  The bare names used
; as contexts throughout this file (local, any, os, init_exec, ...) must be
; named contexts declared outside this file -- CIL does not accept a bare
; type here.  The filecon rules further down that give `()` as the context
; rely on these xattr-backed filesystems: restorecon leaves such paths
; alone and the on-disk xattr is what the kernel uses at runtime.
(fsuse xattr ext4 local)
(fsuse xattr overlay local)
(fsuse xattr xfs local)

; Label inodes by using the type of the creating task.
; Sockets, pipes and epoll descriptors inherit the context of the task
; that created them; `any` is only the label of the pseudo-filesystem
; itself, not of the inodes within it.
(fsuse task eventpollfs any)
(fsuse task pipefs any)
(fsuse task sockfs any)

; Label inodes by deriving a type from the creating task.
; The inode label is computed by a transition from the creating task's
; context, falling back to the listed `any` context when no transition
; rule applies.  tmpfs covers the /etc, /tmp and /run mounts whose contents
; are given no filecon context below, and devtmpfs/devpts cover /dev; the
; effective labels under those mounts therefore depend on transition rules
; defined elsewhere in the policy, not on this file.
(fsuse trans devpts any)
(fsuse trans devtmpfs any)
(fsuse trans hugetlbfs any)
(fsuse trans mqueue any)
(fsuse trans shm any)
(fsuse trans tmpfs any)

; Specify a context for filesystems that do not support other ways to label.
; Every inode in each of these filesystems gets the single listed context
; (the path argument is `/`, so no finer distinction is made within them).
; Only proc is given its own `proc` context; the /proc filecon rule below
; matches it.
;
; NOTE(review): debugfs, tracefs, bpf, kvmfs and pstore expose kernel
; internals, yet they share the catch-all `any` context with cgroup and
; sysfs, so the policy cannot restrict them separately by label.  Whether
; that is acceptable depends on the access rules granted on `any`, which
; are not in this file -- confirm.  genfscon also accepts path prefixes
; (e.g. for /proc/sys), should finer labelling ever be wanted.
(genfscon autofs / any)
(genfscon bdev / any)
(genfscon binfmt_misc / any)
(genfscon bpf / any)
(genfscon cgroup / any)
(genfscon cgroup2 / any)
(genfscon debugfs / any)
(genfscon kvmfs / any)
(genfscon nsfs / any)
(genfscon proc / proc)
(genfscon pstore / any)
(genfscon ramfs / any)
(genfscon rootfs / any)
(genfscon securityfs / any)
(genfscon selinuxfs / any)
(genfscon sysfs / any)
(genfscon tracefs / any)

; Label most files.
; Catch-all: any path (of any file type) not matched by a more specific
; filecon rule in this file is labelled `os`.  CIL orders filecon rules by
; specificity when it emits file_contexts, so this rule loses to every
; longer path below regardless of where it appears in the source.
(filecon "/.*" any os)

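; Label entry points.
; Each rule applies to regular files only (`file`), so a directory or
; symlink at one of these paths keeps the default `os` label.
;
; Every path starts with "/.*/", which requires at least one directory
; component before /usr: these patterns do not match /usr/... at the root
; of the running system, only an image root mounted under some prefix --
; presumably the build-time staging root used when the image is labelled;
; confirm against the build's setfiles invocation.
;
; Patterns ending in ".*" (dbus-broker, wicked, systemd-networkd,
; containerd, docker) match every regular file whose name begins with that
; prefix, e.g. helper binaries and shims alongside the daemon.  Any new
; file dropped into these directories with a matching prefix would also
; become an entry point for the corresponding domain, so keep the glob
; suffixes under review when the package contents change.
;
; Rules are grouped by target context; secilc sorts them by specificity on
; output, so the grouping is purely for readability.
(filecon "/.*/usr/lib/systemd/systemd" file init_exec)
(filecon "/.*/usr/bin/mount" file mount_exec)
(filecon "/.*/usr/bin/apiserver" file api_exec)
(filecon "/.*/usr/bin/early-boot-config" file api_exec)
(filecon "/.*/usr/bin/migrator" file api_exec)
(filecon "/.*/usr/bin/storewolf" file api_exec)
(filecon "/.*/usr/bin/cfsignal" file api_exec)
(filecon "/.*/usr/bin/thar-be-settings" file api_exec)
(filecon "/.*/usr/bin/shibaken" file api_exec)
(filecon "/.*/usr/bin/dbus-broker.*" file bus_exec)
(filecon "/.*/usr/sbin/chronyd" file clock_exec)
(filecon "/.*/usr/sbin/wicked.*" file network_exec)
(filecon "/.*/usr/libexec/wicked/bin/wicked.*" file network_exec)
(filecon "/.*/usr/lib/systemd/systemd-networkd.*" file network_exec)
(filecon "/.*/usr/bin/containerd.*" file runtime_exec)
(filecon "/.*/usr/bin/docker.*" file runtime_exec)
(filecon "/.*/usr/bin/host-ctr" file runtime_exec)
(filecon "/.*/usr/sbin/runc" file runtime_exec)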

; Label local storage mounts.
; The mount point directories themselves are labelled `local`.  Their
; contents get an empty `()` context, which tells setfiles/restorecon not
; to touch them: labels under these mounts persist in xattrs on the local
; filesystem (see the fsuse xattr rules at the top of this file) unless a
; more specific filecon rule below claims a subtree.
(filecon "/local" any local)
(filecon "/local/.*" any ())
(filecon "/opt" any local)
(filecon "/opt/.*" any ())
(filecon "/var" any local)
(filecon "/var/.*" any ())

; Label local state directories.
; These override the `()` rules for /local/.* and /var/.* above for
; specific subtrees, giving each kind of persistent data its own context.
;
; Host and bootstrap container state is `secret` -- presumably because it
; can hold credentials or other material handed to those containers;
; confirm against the container launch code.
(filecon "/local/host-containers" any secret)
(filecon "/local/host-containers/.*" any secret)
(filecon "/local/bootstrap-containers" any secret)
(filecon "/local/bootstrap-containers/.*" any secret)
; chrony's on-disk data gets the `measure` context.
(filecon "/var/lib/chrony" any measure)
(filecon "/var/lib/chrony/.*" any measure)
; systemd state is `state`, with one exception: the random seed is `secret`.
; The seed rule is more specific than "/var/lib/systemd/.*" and therefore
; takes precedence over it.
(filecon "/var/lib/systemd" any state)
(filecon "/var/lib/systemd/.*" any state)
(filecon "/var/lib/systemd/random-seed" any secret)
; Network lease state (wicked and netdog) shares the `lease` context.
(filecon "/var/lib/wicked" any lease)
(filecon "/var/lib/wicked/.*" any lease)
(filecon "/var/log/journal" any state)
(filecon "/var/log/journal/.*" any state)
(filecon "/var/lib/selinux" any state)
(filecon "/var/lib/selinux/.*" any state)
(filecon "/var/lib/netdog" any lease)
(filecon "/var/lib/netdog/.*" any lease)

; Label local directories for overlayfs mounts.
; NOTE(review): kernel-modules and kernel-devel receive the same `state`
; context as the journal, systemd and selinux state above.  Any domain
; allowed to write `state` elsewhere in the policy can therefore also
; stage content under the kernel-modules overlay; confirm that this is
; intended rather than giving the module directories their own context.
; The rules that grant access to `state` are not in this file.
(filecon "/var/lib/cni-plugins" any state)
(filecon "/var/lib/cni-plugins/.*" any state)
(filecon "/var/lib/kernel-devel" any state)
(filecon "/var/lib/kernel-devel/.*" any state)
(filecon "/var/lib/kernel-modules" any state)
(filecon "/var/lib/kernel-modules/.*" any state)

; Label kernel filesystem mounts.
; Only the mount point directories are labelled here; the contents are
; left `()` because the kernel labels them itself: /proc via the
; `genfscon proc` rule, /sys via `genfscon sysfs`, and /dev via the
; fsuse trans rules for devtmpfs and devpts.
(filecon "/proc" any proc)
(filecon "/proc/.*" any ())
(filecon "/sys" any any)
(filecon "/sys/.*" any ())
(filecon "/dev" any any)
(filecon "/dev/.*" any ())

; Label tmpfs mounts.
; /etc gets its own `etc` context; /tmp and /run use the catch-all `any`.
; Contents are `()` and so are not relabelled by restorecon; since these
; are tmpfs mounts (fsuse trans above), files created under them are
; labelled by transition from whichever task writes them.  Whether the
; files populated into /etc end up as `etc` thus depends on transition
; rules outside this file -- confirm.
(filecon "/etc" any etc)
(filecon "/etc/.*" any ())
(filecon "/tmp" any any)
(filecon "/tmp/.*" any ())
(filecon "/run" any any)
(filecon "/run/.*" any ())

; Label external filesystem mounts.
; Mount point directories are `local`; anything mounted beneath them is
; `()` so that the mounted filesystem's own labelling (or its fsuse /
; genfscon rule) applies.  /media/cdrom is listed explicitly because the
; "/media/.*" rule would otherwise leave that mount point directory
; unlabelled -- presumably it exists in the image; confirm.
(filecon "/mnt" any local)
(filecon "/mnt/.*" any ())
(filecon "/media" any local)
(filecon "/media/cdrom" any local)
(filecon "/media/.*" any ())